TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information

August 28, 2009

Reference Number: 2009-20-100

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

August 28, 2009

MEMORANDUM FOR COMMISSIONER, WAGE AND INVESTMENT DIVISION
               CHIEF TECHNOLOGY OFFICER

FROM:    (for) Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Customer Account Data Engine Release 4 Includes Most Planned Capabilities and Security Requirements for Processing Individual Tax Account Information (Audit # 200920020)

This report presents the results of our review of the Customer Account Data Engine[1] (CADE) Release 4 capabilities.
The overall objectives of this review were to assess the accuracy and completeness of the CADE Release 4 capabilities to enhance the processing of tax return information, determine whether this release provides the intended benefits to the Internal Revenue Service (IRS) and taxpayers, and determine whether the IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases. This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan coverage under the major management challenge of Modernization of the IRS.

Impact on the Taxpayer

The IRS has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs. The CADE is a major component of the IRS modernization program. The modernized CADE database allows the IRS to update taxpayer accounts, support account settlement and maintenance, and process refunds on a daily basis, which will contribute to improved service to taxpayers. CADE Release 4 is operating effectively to help the IRS provide these improved services to taxpayers. However, there are security concerns that have not been adequately addressed.

[1] See Appendix VI for a glossary of terms.

Synopsis

The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009.
From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds.

In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers. This release also allows taxpayers to make changes to their last name and accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers. Further, this release generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited.

Our review of CADE Release 4 processing found that some planned capabilities were not completely implemented. We identified problems with processing tax returns for decedent taxpayers and with the Treasury Offset Program. When these conditions were recognized by the IRS, it implemented steps to correct these processing problems.

Several planned capabilities for CADE Release 4 were deferred because of other programming priorities. These capabilities included: 1) maintaining accounts in the CADE after processing the filing of prior year tax returns, 2) processing electronic revenue receipts submitted with original tax returns, 3) establishing an account on the CADE to accept a taxpayer’s estimated tax payment (estimated tax declaration), 4) Criminal Investigation Division refund holds, and 5) credit elections for the current tax year returns. The IRS decided to defer implementation of processing estimated tax declarations, Criminal Investigation Division refund holds, and credit elections until the development of CADE Release 5.2.
The IRS also informed us that it is reconsidering the plans and requirements for future CADE releases, leaving uncertain the implementation of the processing of prior year tax returns and electronic revenue receipts.

Our review also identified tax returns processed by CADE Release 4 with incomplete information. Initially, the IRS did not process these tax returns and requested that the taxpayers respond with complete information. When the taxpayers responded to the IRS, the record of the correspondence received date was not shown on the CADE. However, the Modernized Database captured the correspondence received date, which showed the updated tax return filing date.

Analysis of the updates showed that returns were filed in a timely manner and any interest payments on tax refunds due to processing delays were properly processed. However, because the CADE account information did not capture and display the taxpayers’ correspondence received date, there is a potential that subsequent activity by the IRS may result in inappropriate account actions or adjustments.

Subsequent to our review, the IRS informed us that it took actions to resolve the issue of the missing correspondence received date by performing program adjustments that were deployed with CADE Release 4.2 on January 19, 2009.
The IRS is also in the process of correcting accounts previously processed with Release 4.1.

The IRS has taken steps to address all 16 CADE system security vulnerabilities presented in our report, entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities,[2] and has fully resolved 10 of them. The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy. Further, we found that the IRS prematurely reported resolution of six vulnerabilities in the Plan of Action and Milestones listing before effective corrective actions were taken. Three of these six vulnerabilities were not fully resolved as of the date of our review.

Recommendation

The Chief Technology Officer should direct the Cybersecurity organization to take actions that ensure the CADE and mainframe computer system owners appropriately enter and track system vulnerabilities on control systems, including the Plan of Action and Milestones listing and Item Tracking Reporting and Control System, and verify corrective actions are fully implemented before they are considered and reported as resolved.

Response

The IRS agreed with our recommendation. The Cybersecurity organization will continue to improve the process to ensure that system owners comply with IRS policy to enter and track all system vulnerabilities in IRS control systems. Management’s complete response to the draft report is included as Appendix VII.

Copies of this report are also being sent to the IRS managers affected by the report recommendation. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

[2] Reference Number 2008-20-163, dated September 24, 2008.

Table of Contents

Background

Results of Review
  Customer Account Data Engine Release 4 Accurately Processes and Records Tax Return and Tax Account Information, Although Some Planned Capabilities Were Not Implemented
  Further Work Is Necessary to Alleviate Known Customer Account Data Engine System Security Vulnerabilities
    Recommendation 1

Appendices
  Appendix I – Detailed Objectives, Scope, and Methodology
  Appendix II – Major Contributors to This Report
  Appendix III – Report Distribution List
  Appendix IV – Customer Account Data Engine Release Capabilities
  Appendix V – Customer Account Data Engine System Security Vulnerabilities and Status of Resolution
  Appendix VI – Glossary of Terms
  Appendix VII – Management’s Response to the Draft Report

Abbreviations

CADE    Customer Account Data Engine
IRS     Internal Revenue Service

Background

The Customer Account Data Engine[1] (CADE) is a major component of the Internal Revenue Service’s (IRS) modernization program. It consists of current and planned databases and related applications that work with the IRS Master File system.

The CADE is a critical building block in the IRS modernization program that will enable the development of subsequent modernized systems to improve customer service and compliance.

Tax returns, both paper and electronic, are received by the IRS at various Submission Processing sites across the country. At these sites, the tax return information is input to the IRS return processing computer system, which validates certain taxpayer identifying information and checks the tax returns for mathematical errors. After the tax return information has been validated and errors have been corrected, the sites send the information to the IRS Computing Centers for posting to the taxpayers’ accounts. In the past, this account information was posted to the Master File system.

The age and complexity of the Master File system cause inaccuracies and delays in providing service to taxpayers. Currently, updates to taxpayers’ account information on the Master File, such as posting return information and payments, occur on a weekly basis and some updates require multiple weeks to complete. Because current data are not available to IRS employees, taxpayers requesting help with their accounts may be given outdated information.
In contrast, the CADE posts information to taxpayers’ accounts on a daily rather than a weekly basis. Taxpayers whose tax account information is posted to the CADE receive refunds faster, and IRS employees are able to provide improved service to taxpayers because the employees have up-to-date, accurate account information available.

The IRS has developed a strategy for a phased replacement of its computer systems to better support today’s tax laws, policies, and taxpayer needs. The CADE is being implemented in a series of releases over several years. The simplest taxpayer accounts were moved to the CADE first, and each successive release adds a more complex segment of taxpayer accounts. The first CADE release began posting the simplest individual tax returns, the Income Tax Return for Single and Joint Filers With No Dependents (Form 1040EZ), in July 2004. Subsequent releases have added new capabilities and tax forms. The subject of this review, CADE Release 4, began posting returns in July 2008 and contained significant additions over the prior releases.

[1] See Appendix VI for a glossary of terms.

Like all Federal Government agencies, the IRS is required to protect its computer systems by implementing appropriate security controls to ensure the confidentiality, integrity, and availability of sensitive data, as recommended in National Institute of Standards and Technology Special Publication 800-53.[2] In addition, the IRS is specifically required by Federal law to keep taxpayer data confidential and to prevent unauthorized disclosure or browsing of taxpayer records.
Section 6103 of the Internal Revenue Code[3] prohibits the disclosure of tax returns and tax return information and requires that the storage of such information be secure and the access restricted to only those persons whose duties and responsibilities require access.

In September 2008, we reported[4] that the IRS continued to deploy CADE releases even though known security weaknesses existed in the controls over system access, monitoring of system access, disaster recovery, and sensitive data protection. As a result, the IRS was jeopardizing the confidentiality, integrity, and availability of an increasing volume of tax information for millions of taxpayers as CADE releases were put into operation.

This review was performed in the Wage and Investment Division CADE Project Office and the Cybersecurity organization in New Carrollton, Maryland, during the period November 2008 through May 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. This review was part of the Treasury Inspector General for Tax Administration Fiscal Year 2009 Annual Audit Plan coverage under the major management challenge of Modernization of the IRS. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[2] Recommended Security Controls for Federal Information Systems, Revision 1, published December 2006.
[3] 26 U.S.C. Section (§) 6103.
[4] The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).

Results of Review

Customer Account Data Engine Release 4 Accurately Processes and Records Tax Return and Tax Account Information, Although Some Planned Capabilities Were Not Implemented

The IRS completed deployment of CADE Release 4.1 in July 2008 and CADE Release 4.2 in January 2009. From January through May 2009, the CADE had processed almost 40 million tax returns (approximately 30 percent of all individual tax returns filed) and generated almost $58 billion in refunds. This is a significant increase over the 30 million tax returns processed in Calendar Year 2008.

The CADE processed almost 40 million tax returns and generated almost $58 billion in refunds from January through May 2009.

In addition to new tax law changes, CADE Release 4 added processing for tax returns with a surviving spouse filing status and tax returns for decedent taxpayers. Further, this release allows taxpayers to make changes to their last name and accepts the Application for Automatic Extension of Time To File U.S. Individual Income Tax Return (Form 4868) filed by taxpayers. This release also generates notices to taxpayers eligible to receive the Additional Child Tax Credit or informs taxpayers that their refunds will be mailed to them versus electronically deposited.
Appendix IV provides an overview of the capabilities delivered in each of the CADE releases.

The IRS took appropriate actions to correct CADE processing problems with CADE Release 4.1

The major capabilities added to CADE Release 4.1 included processing tax returns with a surviving spouse filing status with dependent child and tax returns of decedent taxpayers. Further, Release 4.1 generates the Additional Child Tax Credit Notice to eligible taxpayers who did not claim the full amount of the Child Tax Credit and generates the Electronic Fund Transfer Notice notifying taxpayers that their electronic refund request cannot be honored. This release also accepts the Treasury Offset Program transactions and processes changes to taxpayer addresses.

We sampled transactions to determine whether the release properly implemented these capabilities for tax return processing and found that these capabilities were generally implemented adequately. However, we identified the following Release 4.1 processing problems and presented them to CADE project management for resolution.

• Tax Returns of Decedent Taxpayers – The CADE did not always update the decedent taxpayer account to indicate that the taxpayer is deceased. Specifically, the taxpayer account name line was not always updated indicating the taxpayer was deceased, and the date of death was not always added to the account.
  Indicating the taxpayer is deceased on the account name line enables the mail filing requirement associated with the taxpayer to be updated to avoid sending forms to a deceased taxpayer. Providing the date of death on the account initiates a process to prepare a refund for either a surviving spouse or designated representative as applicable.

  When the CADE project team recognized this issue, it implemented corrective actions to resolve the problem. In addition, the CADE project team reviewed the accounts that were not accurately updated and determined that accounts with an inaccurate mail filing requirement were not affected by the absence of the decedent designation on the taxpayer name line of the tax returns. However, for accounts that did not include the date of death, some refund checks were inappropriately issued to deceased taxpayers, but none were returned as undeliverable.

• Treasury Offset Program – This program is administered by the Treasury Financial Management Service and will apply a taxpayer’s overpayment to outstanding non-tax child support or Federal agency debt prior to issuing a refund. Our reviews found that CADE accounts with multiple refunds issued by the IRS on different dates (tax refunds and Economic Stimulus Act of 2008[5] payments) affected by the Treasury Offset Program were correctly paid to the Treasury Financial Management Service. However, the CADE programming did not allow IRS systems to display the offset of the other Federal debts for taxpayers with multiple refunds.
  This condition was presented to the CADE project team and the team implemented corrective actions to resolve the problem.

  [5] Pub. L. 110-185, 122 Stat. 613.

• Processing the Filing of Prior Year Tax Returns – Planned capabilities for CADE Release 4.1 included processing prior year returns (filed for Tax Year 2003 and later) for taxpayers meeting certain filing conditions. Requirements for processing the eligible prior year tax returns did not consider processing routines to capture account information on the Taxpayer Information File for potential account adjustment activity by the Integrated Data Retrieval System. Currently, these processing routines prevent prior year returns from being maintained on the CADE system and require transfer of the taxpayer account to the Individual Master File for processing.

  The IRS determined that modifications to the CADE program to allow processing of the prior year tax returns would involve very complex and extensive programming changes. Because of the additional programming necessary and the anticipated small volume of prior year returns, the IRS decided to defer implementation of this capability until the development of CADE Release 5.
  Subsequently, the IRS informed us that it is reconsidering the plans and requirements for future CADE releases, leaving the implementation of the capability to fully process and retain prior year returns with the CADE uncertain. Our review determined that this capability involved a relatively small number of taxpayer accounts. Through April 17, 2009, 24,561 taxpayers filed 25,058 prior year tax returns that could not be maintained on the CADE and were transferred to the Individual Master File for processing.

• Missing Correspondence Received Date – Our review identified tax returns processed by CADE Release 4 that originally had incomplete information and required the IRS to correspond with the taxpayer. Initially, the IRS did not process these tax returns and requested that the taxpayers respond with complete information. When taxpayers responded to the IRS, the record of the correspondence received date was not shown on the CADE.
  However, the Modernized Database captured the correspondence received date, which showed the updated tax return filing date.

  Analysis of the updates showed that returns were filed in a timely manner and any interest payments on tax refunds due to processing delays were properly processed. However, because the CADE account information did not capture and display the taxpayers’ correspondence received date, there is a potential that subsequent activity by the IRS may result in inappropriate account actions or adjustments.

  Management Action: Subsequent to our review of the returns with incomplete information, the IRS informed us that it took actions to resolve the issue of the missing correspondence received date by performing program adjustments that were deployed with CADE Release 4.2 on January 19, 2009. The IRS is also in the process of correcting accounts previously processed with Release 4.1.

Other programming priorities prevented the implementation of some planned capabilities for CADE Release 4.2

The major capabilities added to CADE Release 4.2 included processing applications for extensions to file tax returns, updating account with taxpayer name changes, and generating notices to taxpayers of the potential to claim the Earned Income Credit. Also, capabilities include accepting full payment of the balance due on tax returns, some estimated tax payments, and payments received with extensions of time to file tax returns. The IRS also enhanced the CADE balance and control processing for tax payments and the ability to determine the presence of penalty and debit interest situations. Returns with penalty and debit interest should not be recorded in the CADE. Instead, the transaction and the taxpayer’s account should be restored to the Individual Master File.
Further, this release processes the Economic Stimulus Payment/Recovery Rebate Credit.[6] Based on our sampled transactions and the documentation reviewed, we determined that the release properly implemented these capabilities for tax return processing. However, we identified the following Release 4.2 development and processing problems.

[6] Pub. L. No. 110-185, 122 Stat. 613.

• Revenue Receipt Transactions – The planned CADE capabilities for Release 4.2 included acceptance of revenue receipt transactions resulting from remittances received in full payment with original tax returns, estimated tax payments and declarations, and payments received with requests for extension of time to file. Our review found that tax returns filed with electronic remittances processed through the Electronic Federal Tax Payment System could not be processed by the CADE.

  Electronic remittances processed through the Electronic Federal Tax Payment System require a routine to capture account information on the Taxpayer Information File for potential account adjustment activity by the Integrated Data Retrieval System. Similar to the problems discussed previously in processing filings of prior year returns, these processing routines prevent the accounts from being eligible for CADE processing and require processing by the Individual Master File.
  Through May 15, 2009, almost 5.4 million taxpayers filed tax returns with a remittance through the CADE, which included more than 703,000 (13 percent) electronic remittances processed through the Electronic Federal Tax Payment System. Virtually all of the returns with electronic remittances originally accepted for CADE processing required transfer to the Individual Master File to be able to accept the tax account information and process the payment.

  The IRS determined that modifications to the CADE program to allow processing of electronic remittances would involve programming changes in coordination with the Electronic Federal Tax Payment System. As discussed previously, the IRS informed us that it is reconsidering the plans and requirements for future CADE releases. As a result, the implementation of the CADE capability to process remittances received with original tax returns using the Electronic Federal Tax Payment System is uncertain.

  Further, because of other programming priorities, the capability for the CADE to process certain estimated tax payments was also deferred. This capability has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.

• Criminal Investigation Division Refund Hold – The Criminal Investigation Division Electronic Fraud Detection System processes tax returns in parallel with the CADE and the Individual Master File. When this System detects a suspicious tax return, the refund issuance is suspended until the circumstances about its propriety are resolved.
  Because of other programming priorities, the capability for the CADE to perform the Criminal Investigation Division refund hold has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.

• Credit Election Processing – Because of other programming priorities, the capability for the CADE to process tax credit elections on current year tax returns has been deferred to CADE Release 5.2, scheduled for deployment in January 2010.

Further Work Is Necessary to Alleviate Known Customer Account Data Engine System Security Vulnerabilities

Our report entitled The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known Security Vulnerabilities identified 16 security vulnerabilities in the CADE system environment. The IRS has taken steps to address all 16 of the reported vulnerabilities and has fully resolved 10 of them. The remaining six security vulnerabilities cannot be resolved until actions are completed to ensure controls are effectively in place or have been approved as deviations to IRS policy. Appendix V presents the previously reported security vulnerabilities with the CADE system and the status of their resolution.

Oversight to track the status of vulnerabilities until resolution needs improvement in the “Plan of Action and Milestones” listing

IRS policy specifies that all computer system weaknesses from any valid source should be entered in the Plan of Action and Milestones listing.
IRS system owners must track the status of
the resolution of all weaknesses and verify that each weakness is corrected before reporting the
item as resolved on the listing.

The IRS is required to quarterly submit to the Department of the Treasury and the Office of
Management and Budget a Plan of Action and Milestones listing system weaknesses. The Office
of Management and Budget uses the information to assess the agency’s progress in alleviating
system weaknesses, monitor the Federal Government’s ability to implement the Federal
Information Security Management Act of 2002,⁷ and make budgetary decisions. Inaccurate or
incomplete Plan of Action and Milestones listing information affects the Office of Management
and Budget’s ability to obtain an accurate status of IRS security weakness remediation.

Of the 16 previously reported vulnerabilities, 13 were directly related to National Institute of
Standards and Technology Special Publication 800-53 system controls that are required to be
tracked in the Plan of Action and Milestones listings. The remaining three vulnerabilities were
privacy weaknesses, which the IRS tracks in the Item Tracking Reporting and Control System.

We found that the IRS prematurely reported resolution of 6 of the 13 vulnerabilities in the
Plan of Action and Milestones listings before effective corrective actions were taken. Three of
these six vulnerabilities were not fully resolved as of the date of this report.

⁷ Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).

In addition, we found three additional weaknesses related to the disaster recovery process that
the IRS is not tracking in the Plan of Action and Milestones listings.
    •   Training of disaster recovery personnel was not adequate. During September 2008
        disaster recovery testing, the IRS determined that cross-training and knowledge transfer
        was needed to ensure the Memphis Computing Center staff could reinstall the CADE in
        the event the Martinsburg Computing Center staff and/or the PRIME contractor were not
        available.
    •   The CADE system’s disaster recovery plan did not include sufficient detail, listed some
        steps out of order, and did not contain all steps needed to restore the CADE system.
        During the September 2008 disaster recovery testing, the IRS determined that the plan
        still needed improvement to document all required steps in the proper sequence to allow
        appropriate execution. This issue was previously reported during the 2007 disaster
        recovery testing.
    •   A complete recovery of the data on the mainframe computer is not feasible until
        hardware capacity is increased. During the September 2008 disaster recovery testing, the
        IRS determined that additional capacity was needed to restore all applications residing on
        the mainframe computer.
        This issue was previously reported during the 2007 disaster recovery testing.

The IRS Cybersecurity organization does not monitor system owners’ compliance with IRS
policy to track all system vulnerabilities in the Plan of Action and Milestones listings. Further, it
does not monitor system owners’ compliance with IRS policy to verify that weaknesses are
corrected before reporting them as resolved on the Plan of Action and Milestones listing. The
Government Accountability Office also reported⁸ in January 2009 that the IRS lacked an
effective corrective action verification process to ensure it had taken the necessary actions to
correct security weaknesses found in information systems.

Inadequate monitoring of vulnerabilities in the Plan of Action and Milestones listing and
prematurely reporting vulnerabilities as resolved may decrease managerial attention to
unresolved problems, prevent allocation of resources required to fix problems, and lead to delays
in correcting vulnerabilities.
Inaccurate Plan of Action and Milestones listing information
prevents the Office of Management and Budget from obtaining an accurate status of the IRS’
security weaknesses.

⁸ Information Security: Continued Efforts Needed to Address Significant Weaknesses at IRS
(GAO-09-136, dated January 2009).

Recommendation

Recommendation 1: The Chief Technology Officer should direct the Cybersecurity
organization to take actions that ensure the CADE and mainframe computer system owners
a) appropriately enter and track system vulnerabilities on control systems, including the Plan of
Action and Milestones listing and the Item Tracking Reporting and Control System, and b) verify
corrective actions are fully implemented before they are considered and reported as resolved.

       Management’s Response: The IRS agreed with our recommendation.
       The Cybersecurity organization will continue to improve the process to ensure that system
       owners comply with IRS policy to enter and track all system vulnerabilities in IRS
       control systems.

Appendix I

Detailed Objectives, Scope, and Methodology

The overall objectives of this review were to assess the accuracy and completeness of the CADE¹
Release 4 capabilities to enhance the processing of tax return information, determine whether
this release provides the intended benefits to the IRS and taxpayers, and determine whether the
IRS has taken effective actions to correct security vulnerabilities on prior CADE system releases.
To accomplish our objectives, we:

I.    Determined whether new requirements included in Release 4.1 accurately posted tax
      return information to the CADE. Specifically, we determined whether the CADE:
      A. Accepts tax returns with a surviving spouse filing status with dependent child.
      B. Accurately processes the tax returns of decedent taxpayers.
      C. Accurately generates the Additional Child Tax Credit Notice to eligible taxpayers
         who did not claim the full amount of Child Tax Credit.
      D. Accurately generates the Electronic Fund Transfer Notice notifying taxpayers that
         their electronic refund request cannot be honored.
      E. Processes the filing of prior year tax returns.
      F. Accepts the Treasury Offset Program transactions from the Accept and Route
         Transactions application.
      G. Processes changes to addresses.
II.   Determined whether new requirements included in Release 4.2 accurately posted tax
      return information to the CADE. Specifically, we determined whether the CADE:
      A. Accepts revenue receipt transactions and generates applicable math error notices.
      B. Revenue Receipt Balance and Control processing has been updated to accommodate
         Revenue Receipt transactions deployed with Release 4.2.
      C. Accurately processes Applications for Automatic Extension of Time To File U.S.
         Individual Income Tax Return (Form 4868).
      D. Accepts last name changes from taxpayers through tax return filings, the receipt of
         Estimated Tax for Individuals (Form 1040-ES), or the National Account Profile file.
      E. Has returned control of taxpayer accounts to the current processing environment for
         those accounts identified to receive a penalty or debit interest.
      F. Accurately processes the Economic Stimulus Payment/Recovery Rebate Credit.²
      G. Accurately generates the non-math error notice to taxpayers with qualifying children
         of potential Earned Income Credit.
III.  Determined whether the IRS has taken effective actions to correct security vulnerabilities
      on prior CADE system releases. Specifically, we:
      A. Assessed the current status of the 16 security vulnerabilities identified during the
         audit on CADE Releases 2.2 and 3.1 security controls.³
      B. Assessed the adequacy of corrective actions implemented on security vulnerabilities
         identified during the audit on CADE Releases 2.2 and 3.1 security controls.

Validity and reliability of data from computer-based systems

We obtained individual tax return data processed by the CADE and stored on the Modernized
Database. We compared the data to information processed and stored in the Individual Master
File. We used the tax return identification number as the control to validate the accuracy of the
matching of the tax return information stored on the Modernized Database and the Individual
Master File. The data were sufficiently reliable to perform our audit analyses.

Analysis of CADE tax return samples

Tables 1 and 2 present the tax return information populations and samples we used to analyze
taxpayer account information processed by CADE Releases 4.1 and 4.2. Our reviews involved
analyses of Calendar Years 2008 and 2009 U.S. Individual Income Tax Returns (Form 1040 and
Form 1040A) and Income Tax Returns for Single and Joint Filers With No Dependents
(Form 1040EZ) filed and recorded to the CADE from July 2008 through April 2009. We used
random sampling to ensure that each account had an equal chance of being selected, which
enabled us to obtain sufficient evidence to support our results.

¹ See Appendix VI for a glossary of terms.
² Pub. L. No. 110-185, 122 Stat. 613.
³ The Internal Revenue Service Deployed Two of Its Most Important Modernized Systems With Known
Security Vulnerabilities (Reference Number 2008-20-163, dated September 24, 2008).

Table 1: Sample Selection of CADE Release 4.1
Forms 1040, 1040A, and 1040EZ
Filed From July Through December 2008

CADE Release 4.1 Capability Tested                Population      Sample Size
Surviving Spouse Tax Returns                      5               5
Decedent Tax Returns                              2,708           70
Additional Child Tax Credit Notice                8               8
Electronic Fund Transfer Refund Notice            1,068           64
Prior Year Tax Returns                            2,867           40
Treasury Offset Program                           1,773           66
Changes to Address Processing                     1,479,905       80
Source: Treasury Inspector General for Tax Administration extract of tax return account data
from the CADE and the Individual Master File for the period July through December 2008.

Detailed Sample Parameters:
   •   Surviving Spouse Tax Returns – We selected five individual income tax returns filed as
       a surviving spouse [widow(er) with dependent child] filing status that had posted to the
       CADE from July through October 2008.
   •   Decedent Tax Returns – We selected 70
       individual income tax returns filed as a decedent return (1 or both taxpayers
       deceased) that had posted to the CADE from July through November 2008.
   •   Additional Child Tax Credit Notice – We selected eight individual income tax returns
       that had posted to the CADE from August through October 2008 and were issued an
       Additional Child Tax Credit Notice informing the taxpayer of potential credit to be
       claimed.
   •   Electronic Fund Transfer Refund Notice – We selected 64 individual income tax
       returns that had posted to the CADE from August through October 2008 and were issued
       an Electronic Fund Transfer Refund Notice informing the taxpayer that a paper refund
       check will be issued instead of an electronic refund.
   •   Prior Year Tax Returns – We selected 40 individual income tax returns filed as prior
       year returns (Calendar Years 2005 and 2006) that had posted to the CADE from
       July through October 2008.
   •   Treasury Offset Program – We selected 66 individual income tax returns that had
       posted to the CADE from July through October 2008 and had been identified by the IRS
       to have their refund reduced due to an outstanding child support or Federal agency debt.
   •   Changes to Address Processing – We selected 80 individual taxpayer accounts with
       address changes processed by the CADE from July through December 2008.

Table 2: Sample Selection of CADE Release 4.2
Forms 1040, 1040A, and 1040EZ
Filed From January Through April 2009

CADE Release 4.2 Capability Tested                Population      Sample Size
Revenue Receipt Transactions                      159,961         220
Revenue Receipt Balance and Control               192,632         192,632
Extension of Time to File                         8,942           60
Last Name Changes                                 93,036          150
Generation of Earned Income Credit Notice         4,791           70
Economic Stimulus Payment/Recovery Rebate Credit  15,574          64
Source: Treasury Inspector General for Tax Administration extract of tax return account data
from the CADE and the Individual Master File for the period January through April 2009.

Detailed Sample Parameters:
   •   Revenue Receipt Transactions – We selected 220 individual income tax accounts with
       remittances received with original returns, estimated tax payments and declarations, and
       requests for extension of time to file that had posted to the CADE from January through
       March 2009.
   •   Revenue Receipt Balance and Control – We selected 192,632 revenue receipt
       transactions that had posted to the CADE from January through March 2009 and
       compared the total dollar amounts to the CADE balance and control reports.
   •   Extension of Time to File – We selected 60 individual income tax accounts with
       extensions of time to file that had posted to the CADE from January through March 2009.
   •   Last Name Changes – We selected 150 individual taxpayer accounts with last name
       changes processed by the CADE from January through March 2009.
   •   Generation of Earned Income Credit Notice – We selected 70 individual income tax
       returns with Earned Income Tax Credit notices generated by the CADE from February
       through April 2009.
   •   Economic Stimulus Payment/Recovery Rebate Credit – We selected 64 individual
       income tax returns with a Recovery Rebate Credit being claimed that had posted to the
       CADE in January and February 2009.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information
Technology Services)
Scott A. Macfarlane, Director
Edward A. Neuwirth, Audit Manager
Michael A. Garcia, Senior Auditor
Jody Kitazono, Senior Auditor
Beverly Tamanaha, Senior Auditor
Suzanne Westcott, Auditor
Arlene Feskanich, Senior Information Technology Specialist
Richard Hillelson, Information Technology Specialist
Martha Stewart, Information Technology Specialist

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Deputy Commissioner for Services and Enforcement SE
Chief Information Officer OS:CTO
Deputy Commissioner, Wage and Investment Division SE:W
Associate Chief Information Officer, Applications Development OS:CTO:AD
Director, Customer Account Services, Wage and Investment Division SE:W:CAS
Director, Strategy and Finance, Wage and Investment Division SE:W:S
Director, Submission Processing, Wage and Investment Division SE:W:CAS:SP
Chief, Performance Improvement, Wage and Investment Division SE:W:S:PI
Director, Test Assurance and Documentation OS:CTO:AD:TAD
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Technology Officer OS:CTO
       Commissioner, Wage and Investment Division SE:W
       Associate Chief Information Officer, Applications Development OS:CTO:AD
       Senior Operations Advisor, Wage and Investment Division SE:W:S
       Director, Program Oversight OS:CTO:SM:PO
       Chief, GAO/TIGTA/Legislative Implementation Branch SE:S:CLD:PSP:GTL

Appendix IV

Customer Account Data Engine Release Capabilities

The IRS is implementing the CADE in a series of releases¹ over several years. Table 1 describes
the capabilities implemented in Releases 1 and 2.

Table 1: CADE Release 1 and Release 2 Capabilities

CADE Release     Start of Processing    Capabilities Added for Each Release
Release 1.1      July 2004              Form 1040EZ for single filers and joint filers with no
                                        dependents.
                                        Single filing status only.
Release 1.2      January 2005           Tax law changes for filing season.
Release 1.3.2    January 2006           Forms 1040 and 1040A with no dependents and no
                                        attachments or schedules.
                                        Address changes on returns.
Release 2.1      September 2006         Returns with Head of Household filing status.
                                        Returns with Schedules A, B, and R.
                                        Returns with limited name changes.
                                        United States Postal Service address change updates.
Release 2.2      March 2007             Form 1040EZ-T.
                                        Returns with Married Filing Jointly and Married Filing
                                        Separately filing statuses.
                                        Credit for Federal Telephone Excise Tax paid.
Source: The IRS Applications Development organization.
Form 1040 – U.S. Individual Income Tax Return
Form 1040A – U.S. Individual Income Tax Return
Form 1040EZ – Income Tax Return for Single and Joint Filers With No Dependents
Form 1040EZ-T – Request for Refund of Federal Telephone Excise Tax
Schedule A (Form 1040) – Itemized Deductions
Schedule B (Form 1040) – Interest and Ordinary Dividends
Schedule R (Form 1040) – Credit for the Elderly or the Disabled

¹ See Appendix VI for a glossary of terms.

The IRS initially planned to implement 17 requirements for Release 3 and divided the
requirements delivery into 2 subreleases, Releases 3.1 and 3.2. Table 2 presents the capabilities
for Release 3.1, which was completed in October 2007.

Table 2: CADE Release 3.1 Capabilities

Capability                    Description                                           Date Deployed

Disaster Area Designation     Adds the processing necessary to accept Disaster      August 9, 2007
                              Area transactions. Maintains all information
                              necessary to determine disaster start and end dates
                              and to change business rules as necessary based
                              on requirements gathering.

Add Indicator to Legacy       Adds an indicator to the balance section of the       August 9, 2007
Account Formatted File        entity on the Legacy Account Formatted File
Online Entity to Show         Online showing that an account is “in transit”
Account Is “In Transit”       when it has been sent to the Individual Master File
                              from the CADE.

Validate Module Balance       Validates the CADE account balance and updates        August 9, 2007
When Updating Tax             the Legacy Account Formatted File Online.
Modules on Legacy
Account Formatted File
Online

Enterprise Application        Develops or provides address change services to       October 1, 2007
Integration Broker            support online requests originated from the IRS
                              Enterprise Application Integration Broker.

Source: The IRS Wage and Investment Division and the Modernization and Information Technology Services
Applications Development organization.

The IRS completed Release 3.2 in February 2008.
Table 3 presents the capabilities for Release 3.2.

Table 3: CADE Release 3.2 Capabilities

Capability                    Description                                           Date Deployed

Issuance of                   Sends notifications to taxpayers when                 January 14, 2008
Math Error Notices            discrepancies are found during tax return
                              processing.

Child and Dependent Care      Processes information from taxpayers who              February 11, 2008
Expenses (Form 2441)          have filed Form 1040/Form 2441 or
Credit                        Form 1040A/Child and Dependent Care
                              Expenses for Form 1040A Filers
                              (Schedule 2) to take the credit for child and
                              dependent care expenses.

Earned Income Credit          Processes Form 1040/1040A with                        February 11, 2008
(Schedule EIC)                Schedule EIC. Uses the Earned Income Tax
                              Credit information to identify those eligible
                              tax returns that have Earned Income Tax
                              Credit-qualifying dependents.

Dependent Database            Expands capabilities to allow the CADE to             February 11, 2008
Interface                     accept all dependents and to process the
                              Earned Income Tax Credit.

Split Refunds                 Provides taxpayers with the ability to deposit        February 25, 2008
                              their electronic refunds from tax returns into
                              multiple checking, savings, and/or retirement
                              accounts.

Source: The IRS Wage and Investment Division and the Modernization and Information Technology Services
Applications Development organization.

On February 13, 2008, the President signed the Economic Stimulus Act of 2008,² which
provided taxpayers with payments of up to $600 for individuals and $1,200 for couples. This
relief was available to everyone with adjusted gross income less than $75,000 for single
individuals and $150,000 for married couples filing jointly. The payments were phased out for
taxpayers above those income thresholds. Everyone eligible for this relief was also eligible to
receive an additional $300 per child.

The IRS added the ability to issue economic stimulus payments through the CADE on
April 21, 2008. The first payments through the CADE were issued on April 28, 2008.

² Pub. L. No. 110-185, 122 Stat. 613.

The IRS completed Release 4.1 in July 2008. Table 4 presents the capabilities for Release 4.1.

Table 4: CADE Release 4.1 Capabilities

Capability                    Description                                           Date Deployed

Surviving Spouse              Processes tax returns with a surviving spouse         July 28, 2008
                              filing status [widow(er) with dependent
                              child]. A qualifying taxpayer may use this
                              filing status only on the tax return for 2 years
                              following the tax year of the death of the
                              spouse, provided there are one or more
                              dependent children. This filing status
                              benefits the surviving taxpayer, in that they
                              will be able to use the joint tax table after the
                              death of a spouse.

Decedents                     Processes the tax returns of decedent                 July 28, 2008
                              taxpayers. The release updates the account
                              name line indicating that the taxpayer is
                              deceased and updates the mail filing
                              requirement associated with the taxpayer to
                              avoid sending forms to deceased taxpayers.
                              The release records the taxpayer’s date of
                              death and prepares a refund for either a
                              surviving spouse or designated representative
                              as applicable.

Changes to Address            Updates account addresses and ZIP codes.              July 28, 2008
Processing

Additional Child Tax          Generates a notice to the taxpayer in the             July 28, 2008
Credit Notice                 event the taxpayer was not able to claim the
                              full amount of Child Tax Credit and is
                              eligible for the Additional Child Tax Credit.

Electronic Fund Transfer      Generates a notice to alert taxpayers                 July 28, 2008
Notice                        whenever an electronic refund is changed to
                              a paper check.

Treasury Offset Program       Applies a taxpayer’s overpayment to                   July 28, 2008
                              outstanding non-tax child support or Federal
                              agency debt prior to crediting an
                              overpayment to a future tax or making a
                              refund.

Source: The IRS Wage and Investment Division and the Modernization and Information Technology Services
Applications Development organization.
 Includes Most Planned Capabilities and Security Requirements\n                         for Processing Individual Tax Account Information\n\n\n\n The IRS completed Release 4.2 in January 2009. Table 5 presents the capabilities for\n Release 4.2.\n                             Table 5: CADE Release 4.2 Capabilities\n\n         Capability                             Description                            Date Deployed\n Revenue Receipt               Accepts Revenue Receipt transactions                   January 19, 2009\n Transactions                  resulting from remittances received with\n                               original returns, estimated tax payments and\n                               declarations, and payments received with\n                               requests for extension of time to file.\n Revenue Receipt Balance       The balancing and reconciliation of data               January 19, 2009\n and Control                   within the CADE include three major\n                               components: initialization (the transfer of\n                               taxpayer account data from existing IRS\n                               systems to the modernized CADE system);\n                               daily processing (the editing, processing, and\n                               record keeping of all transactions); and\n                               weekly processing (external and internal\n                               balancing of all processing and transactions\n                               for the week).\n Extension to File Tax         Processes Application for Automatic                    January 19, 2009\n Returns                       Extension of Time To File U.S. Individual\n                               Income Tax Return (Form 4868). 
If\n                               taxpayers cannot meet the tax return filing\n                               deadline they can request an extension to the\n                               due date of their tax return using Form 4868.\n Last Name Changes             Establishes a new process to update                    January 19, 2009\n                               taxpayers\xe2\x80\x99 names for CADE accounts.\n Penalty and Interest          Identifies taxpayers subject to a penalty or           January 19, 2009\n Potential                     debit interest resulting from the timeliness of\n                               payments made with or prior to filing their\n                               tax returns. These returns should not be\n                               recorded in the CADE. Instead, the\n                               transaction and the taxpayer\xe2\x80\x99s account should\n                               be restored to the Individual Master File.\n Potential to Claim the        Generates a notice to inform taxpayers with            January 19, 2009\n Earned Income Credit          qualifying child(ren) of the potential to claim\n                               the Earned Income Credit.\nSource: The IRS Wage and Investment Division and the Modernization and Information Technology Services\nApplications Development organization.\n\n\n                                                                                                    Page 21\n\x0c                                 Customer Account Data Engine Release 4\n                      Includes Most Planned Capabilities and Security Requirements\n                            for Processing Individual Tax Account Information\n\n\n\n                                                                                      Appendix V\n\n        Customer Account Data Engine System Security\n            Vulnerabilities and Status of Resolution\n\n         Security Vulnerability                Vulnerability 
Status\n1        The CADE1 Disaster Recovery           Resolved. While testing occurred in 2007 and 2008, the\n         Plan and the Information              testing identified deficiencies that the mainframe\n         Technology Contingency Plan           computer system owner should be tracking in the Plan\n         had not been sufficiently tested.     of Action and Milestones listing.\n2        Backup tapes from the offsite         Resolved. Problems with backup tapes during 2007\n         storage facility were not tested      testing were resolved during 2008 testing.\n         at the original site or alternative\n         site.\n3        CADE personally identifiable          Resolved. IRS implemented encryption for backup data\n         information backed up on tapes,       and data shared externally in April 2008.\n         disks, and compact discs, and\n         data shared with external\n         agencies, were not encrypted.\n4        The CADE did not have the             Resolved. Inconsistencies in design documents where\n         ability to identify and process       this issue was identified were resolved in May 2008.\n         all error codes.\n5        Interconnection Security              Resolved. Deficiencies in the agreements were resolved\n         Agreements were not in place          in March 2008.\n         or did not contain complete and\n         current interface information.\n6        Malicious code protection was         Resolved. However, the IRS mainframe computer\n         not implemented.                      
system security plan needs improvement to adequately\n                                               describe how the system implements malicious code\n                                               protection.\n\n\n\n\n1\n    See Appendix VI for a glossary of terms.\n                                                                                              Page 22\n\x0c                           Customer Account Data Engine Release 4\n                Includes Most Planned Capabilities and Security Requirements\n                      for Processing Individual Tax Account Information\n\n\n\n     Security Vulnerability              Vulnerability Status\n7    Unauthorized access to              Resolved. However, the CADE privacy impact\n     personally identifiable             assessment needs improvement to correct inaccurate and\n     information could occur in          incomplete information. The CADE project team hired\n     mainframe computer memory,          a privacy engineer to address ongoing privacy risks.\n     disk space, and tapes because\n     the data were not removed\n     before the media were reused.\n8    Security events and                 Resolved. Reported as resolved prematurely in the IRS\n     unauthorized access to taxpayer     mainframe computer Plan of Action and Milestones\n     accounts by privileged CADE         listing on October 15, 2007. A new audit logging tool\n     users were not captured.            was installed on March 9, 2009.\n9    Contractors could make              Resolved. Reported as resolved prematurely in the\n     changes to system configuration     CADE Plan of Action and Milestones listing on\n     settings without notice,            June 7, 2007. Improper privileges for two contractors\n     approval, or security checks.       were not revoked until March 2008.\n10   The CADE development staff          Resolved. 
Reported as resolved prematurely in the\n     did not test security features      CADE Plan of Action and Milestones listing on\n     before releasing the application    January 10, 2008. The CADE developer performed\n     code.                               security testing for CADE Release 4.2 in\n                                         September 2008.\n11   Vulnerability scans of the          Unresolved. Reported as resolved prematurely in the\n     mainframe computer on which         IRS mainframe computer Plan of Action and Milestones\n     the CADE resides identified         listing on October 15, 2007. While the high-risk failure\n     one high-risk failure and several   associated with the Mainframe Policy Checker was\n     configurations that were not        resolved in January 2009, a process is not in place for\n     sufficient for protecting           ensuring vulnerabilities reported by all required\n     taxpayer data. These                recurring scans are reviewed, mitigated, or monitored in\n     vulnerabilities were not            the Plan of Action and Milestones listings.\n     corrected.\n12   The CADE did not employ an          Unresolved. Reported as resolved prematurely in the\n     application-specific                CADE Plan of Action and Milestones listing on\n     vulnerability scanning tool.        March 20, 2008. 
The first application-specific scan was\n                                         run in February 2009; however, a process is not in place\n                                         for ensuring vulnerabilities reported by all recurring\n                                         required scans are reviewed, mitigated, or monitored in\n                                         Plan of Action and Milestones listings.\n\n                                                                                         Page 23\n\x0c                               Customer Account Data Engine Release 4\n                    Includes Most Planned Capabilities and Security Requirements\n                          for Processing Individual Tax Account Information\n\n\n\n       Security Vulnerability                 Vulnerability Status\n 13    The system did not                     Unresolved. Reported as resolved prematurely in the\n       automatically terminate a              IRS mainframe computer Plan of Action and Milestones\n       session after 15 minutes of            listing on October 15, 2007. When the system owner\n       inactivity.                            cannot comply with IRS policy, an approved deviation\n                                              must be obtained from the Cybersecurity organization.\n 14    Personally identifiable                Unresolved. This vulnerability is documented in the\n       information data were                  IRS program-level Plan of Action and Milestones\n       transmitted in clear text within       listing. However, the use of nonsecure transmission\n       Computing Centers.                     protocols requires the mainframe computer system\n                                              owner to obtain an approved deviation.\n 15    The CADE did not have                  Unresolved. The CADE project team hired a privacy\n       adequate controls to ensure that       engineer to address ongoing privacy risks. 
The IRS is\n       minimal amounts of personally          tracking this privacy vulnerability in the Item Tracking\n       identifiable information               Reporting and Control System.\n       required for the particular\n       CADE release were collected,\n       stored, transferred, and\n       processed.\n 16    The CADE used live data in             Unresolved. The CADE project team hired a privacy\n       more than 18 test environments         engineer to address ongoing privacy risks. The IRS is\n       for application development            tracking this privacy vulnerability in the Item Tracking\n       testing, but the system owner          Reporting and Control System.\n       did not properly describe how\n       the CADE will acquire, use, and\n       dispose of the live data.\nSource: CADE project personnel in the Enterprise Operations, Modernization and Information Technology Services\nSecurity Engineering, and Office of Privacy organizations.\n\n\n\n\n                                                                                                     Page 24\n\x0c                           Customer Account Data Engine Release 4\n                Includes Most Planned Capabilities and Security Requirements\n                      for Processing Individual Tax Account Information\n\n\n\n                                                                             Appendix VI\n\n                              Glossary of Terms\n\n            Term                                        Definition\nComputing Centers              Support tax processing and information management through\n                               a data processing and telecommunications infrastructure.\nCustomer Account Data          A major component of the IRS modernization program. 
The\nEngine (CADE)                  CADE consists of current and planned databases and related\n                               applications that work with the IRS Master File system.\nDependent Database             A screening mechanism to score and select incoming tax\n                               returns based on questionable dependent claims.\nEarned Income Credit           A tax credit for certain people who work and have income\n                               under established limits.\nElectronic Federal Tax         A tax payment system provided free by the U.S. Department\nPayment System                 of the Treasury to pay Federal taxes electronically via the\n                               Internet or telephone.\nEnterprise Application         A commercial, off-the-shelf solution used to enable\nIntegration Broker             communication and data transformations among systems and\n                               applications.\nFiling Season                  The period from January through mid-April when most\n                               individual income tax returns are filed.\nForms 1040, 1040A, and         The series of IRS forms that include individual income tax\n1040EZ                         returns.\nIndividual Master File         The IRS database that maintains transactions or records of\n                               individual tax accounts.\nIntegrated Data Retrieval      The IRS computer system capable of retrieving or updating\nSystem                         stored information; it works in conjunction with a taxpayer\xe2\x80\x99s\n                               account records.\nItem Tracking Reporting and    An information system used to track and report on issues,\nControl System                 risks, and action items in the modernization effort.\nLegacy Account Formatted       A database containing CADE-processed tax information.\nFile Online\n\n                                                                                      
Page 25\n\x0c                            Customer Account Data Engine Release 4\n                 Includes Most Planned Capabilities and Security Requirements\n                       for Processing Individual Tax Account Information\n\n\n\nMalicious Code                    Software designed to infiltrate or damage a computer system\n                                  without the owner\xe2\x80\x99s informed consent.\nMaster File                       The IRS database that stores various types of taxpayer\n                                  account information. This database includes individual,\n                                  business, and employee plans and exempt organizations data.\nModernized Database               A relational database that stores tax return information\n                                  processed by the CADE.\nNational Institute of Standards   A non-regulatory Federal agency, within the Department of\nand Technology                    Commerce, responsible for developing standards and\n                                  guidelines, including minimum requirements, for providing\n                                  adequate information security for all Federal Government\n                                  agency operations and assets.\nNotice                            A computer-generated message resulting from an analysis of\n                                  the taxpayer\xe2\x80\x99s account.\nPlan of Action and Milestones     A requirement for managing the security weaknesses\n                                  pertaining to a specific application or system. 
In addition to\n                                  noting weaknesses, each Plan of Action and Milestones item\n                                  details steps that need to be taken to correct or reduce any\n                                  weaknesses, as well as resources required to accomplish task\n                                  milestones and a correction timeline.\nPRIME contractor                  The Computer Sciences Corporation is the PRIME contractor,\n                                  which heads an alliance of leading technology companies\n                                  brought together to assist with the IRS\xe2\x80\x99 efforts to modernize\n                                  its computer systems and related information technology.\nRelease                           A specific edition of software.\nRequirement                       A formalization of a need and statement of a capability or\n                                  condition that a system must have or meet to satisfy a\n                                  contract, standard, or specification.\nSubmission Processing Site        IRS campuses that process paper and electronic submissions,\n                                  correct errors, and forward data to the Computing Centers for\n                                  analysis and posting to taxpayer accounts.\nTaxpayer Information File         The Integrated Data Retrieval System\xe2\x80\x99s major database.\nZIP Code                          The Zoning Improvement Plan instituted by the United States\n                                  Postal Service to facilitate mail handling and delivery.\n\n\n\n                                                                                             Page 26\n\x0c               Customer Account Data Engine Release 4\n    Includes Most Planned Capabilities and Security Requirements\n          for Processing Individual Tax Account Information\n\n\n\n                                                   
Appendix VII\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                           Page 27\n\x0c           Customer Account Data Engine Release 4\nIncludes Most Planned Capabilities and Security Requirements\n      for Processing Individual Tax Account Information\n\n\n\n\n                                                       Page 28\n\x0c'